Personal information online code of practice 


Personal information online 
small business checklist 


This checklist will help small and medium-sized 
businesses that operate online to make sure they collect 
and use information about the people they deal with 
properly. This checklist applies to information such as 
customers’ names and email addresses, or records of their 
purchases or enquiries. It also applies to information 
collected through the use of a ‘cookie’, for example where 
this is used to target marketing at people. 


Adopting the following good practice points will give you a competitive 
advantage because people will trust you with their information and 
will be more willing to provide the information you need to run your 
business successfully. 


° Consider whether you actually need to collect information about 
people. Don’t ask people to log in, register or provide their 
personal details unless you need them to. It is acceptable to 
ask for this information once people make an enquiry or decide 
to do business with you. 


° When you collect information about people they should know who 
you are and what you're going to do with their information. There 
should be a clear, prominent explanation of this on your website. 


° You are under a legal duty to keep customer information secure. 
Ask your IT supplier to give you advice on encrypting information 
and make sure staff with access to the information are trained to 
keep it secure and look after it properly. 


° If you use a subcontractor, for example to manage your 
database, make sure there is a written contract in place that 
requires them to look after your information properly, including 
keeping it secure. 


° If you are going to use customer information to send them 
marketing material, e.g. promotional emails, give them a clear 
choice over this. You should be aware that different rules under 
the Privacy and Electronic Communications Regulations 2003 might 
apply depending on the method you use to send the marketing. 


° Your website might show content provided by third parties, for 
example adverts. Although you may not be legally responsible 
for this content, your customers may assume you are. 
Therefore it is good practice to act as a single point of contact 
for the content displayed on your site. For example you need to 
have proper procedures in place where a customer objects to a 
particular advert. 


° Ensure that you only collect the information that you use. 
If you no longer require the information then stop collecting 
it and dispose securely of any unnecessary information that 
you may have collected. 


° Remember that people have a right of access to information 
you hold about them. Make sure your staff recognise a ‘subject 
access request’ and know how to deal with it. 


° Encourage your customers to check the information you hold 
about them, for example by giving them online access to their 
account details. Give them facilities for updating and correcting 
their records if they are wrong. 


For further information on collecting and using personal data online, 
see the full Personal information online code of practice. 


https://ico.org.uk/media/for-organisations/documents/1591/personal_information_online_cop.pdf 


For further information and good practice advice regarding data 
protection in general, see The Guide to Data Protection. 


https://ico.org.uk/for-organisations/guide-to-data-protection/ 